Monday, May 18, 2009

Desktopsmiley: Annoying and insecure

Some facts:

1) desktopsmiley.com is ranked 287 in the world according to Alexa. This is simply stupefying to me, and testament to the fact that there are way too many oblivious people installing this crapware.

2) The geniuses at Desktopsmiley.com have wrestled long and hard with the antivirus vendors such that their latest installer doesn't trip a single signature per VirusTotal. Further grounds to be much annoyed...and perhaps impressed at their obvious negotiation skills.

3) Desktopsmiley.com has a privacy policy. Rejoice! Now we can all install it and know our data and our privacy are protected. Or not. Just read this dreck and you'll shudder at the clearly defined consequences of installing this "not spyware".

I am therefore inclined to point out that this spectacular product offering cares little for your privacy or your security.

Case in point, 2x:

That privacy page? Not so private. It's vulnerable to XSS, and I'm sure this isn't the only example. Explore for yourself: http://tinyurl.com/qv9zkw

Screen shot, if you prefer.
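For readers who want to see what the fix for a reflected XSS like the one above looks like, here is an added example (mine, not code from the post or from desktopsmiley.com). It shows the vulnerable pattern, a parameter concatenated straight into HTML, next to the same page rendered through an HTML escaper, plus the trivial check a tester uses to tell the two apart: does the raw probe come back verbatim? The parameter name, the page snippet and the probe string are all constructed for the example.

```javascript
// Added example: escaping a reflected parameter before it is written into
// HTML. The "search query" page and the probe value are constructed here;
// nothing is taken from the site discussed in the post.

// Every character with meaning in an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode a value for insertion into an HTML text node or quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: untrusted input concatenated into markup unchanged.
function renderUnsafe(query) {
  return `<p>You searched for: ${query}</p>`;
}

// Hardened pattern: the same value, escaped for the HTML text context.
function renderSafe(query) {
  return `<p>You searched for: ${escapeHtml(query)}</p>`;
}

// The check a tester (or a regression test) applies: if the probe string
// appears verbatim in the response body, the parameter is reflected
// without encoding and the page is XSS-prone.
function isReflectedUnencoded(probe, responseBody) {
  return responseBody.includes(probe);
}

// Constructed, harmless probe of the kind used to confirm reflection.
const SAMPLE_PROBE = '<script>alert(1)</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderUnsafe(SAMPLE_PROBE));
  console.log('safe:  ', renderSafe(SAMPLE_PROBE));
  console.log('unsafe reflects probe:', isReflectedUnencoded(SAMPLE_PROBE, renderUnsafe(SAMPLE_PROBE)));
  console.log('safe reflects probe:  ', isReflectedUnencoded(SAMPLE_PROBE, renderSafe(SAMPLE_PROBE)));
}
```

The escaper covers the HTML text and quoted-attribute contexts only; a value dropped into a script block, a URL or a CSS property needs that context's own encoding, which is exactly the kind of detail a site that reflects input on its privacy page has usually skipped.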

The next one is particularly fun as it is clearly indicative of bad Flash coding practices. The clickTag variable is wide open on smiley.swf. Follow this URL, then click the super happy swf! Hurray!
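An open clickTag is the textbook Flash banner mistake: the SWF takes a destination from its URL parameters and follows it without looking at it. Here is an added example of the validation that belongs in front of that call (my code, not the post's and not smiley.swf's ActionScript), written in JavaScript for the page that embeds the banner. It only accepts absolute http or https destinations on an allow-listed host, which rules out both script-scheme injection into the hosting page and use of the banner as an open redirect. The allowed host list, the query strings and the landing URLs are constructed assumptions.

```javascript
// Added example: validating a clickTag-style destination before following it.
// Allowed hosts and sample inputs are constructed; they are not from the post.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Return the normalized destination if it passes every check, else null.
function safeClickTarget(clickTag, allowedHosts) {
  if (typeof clickTag !== 'string' || clickTag.length === 0) return null;

  let parsed;
  try {
    // No base URL is supplied, so relative and protocol-relative values
    // ("//evil.example/x") throw here and are rejected.
    parsed = new URL(clickTag);
  } catch (e) {
    return null;
  }

  // javascript:, data:, vbscript: and similar schemes all fail this test,
  // which is the check an unvalidated getURL(clickTag) never makes.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;

  // Host allow-list: the banner may only send users to the advertiser's
  // own domains, so it cannot be used as an open redirect.
  const host = parsed.hostname.toLowerCase();
  const permitted = allowedHosts.some(
    (h) => host === h.toLowerCase() || host.endsWith('.' + h.toLowerCase())
  );
  if (!permitted) return null;

  return parsed.href;
}

// Entry point mirroring how a SWF receives its variables: a query string
// such as "?clickTag=https://ads.example.com/landing" appended to the SWF URL.
function clickTargetFromQuery(queryString, allowedHosts) {
  const params = new URLSearchParams(queryString);
  return safeClickTarget(params.get('clickTag'), allowedHosts);
}

// For contrast: the behaviour of an open clickTag is simply "go wherever
// the parameter says", with no check at all.
function unsafeClickTarget(clickTag) {
  return clickTag;
}

if (typeof require !== 'undefined' && require.main === module) {
  const hosts = ['example.com'];
  for (const q of [
    '?clickTag=https://ads.example.com/landing?id=1',
    '?clickTag=javascript:alert(document.domain)',
    '?clickTag=https://example.com.evil.example/',
    '?clickTag=//evil.example/path',
  ]) {
    console.log(q, '->', clickTargetFromQuery(q, hosts));
  }
}
```

Scheme checking alone is not enough: without the host allow-list the banner still works as an open redirect to any site the attacker names, which is why both checks are applied.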

I hereby declare the creation of a new Holisticinfosec award for just such occasions, the ID Ten C Award. Don't get it? Spell it out and say it with me: ID 10 C...you should be able to handle it from there.

Desktopsmiley.com, consider yourselves awarded, for being both annoying and insecure.

About Me

Russ McRee runs the Blue Team for Microsoft's Windows and Devices Group (WDG). He writes the monthly column toolsmith. Russ has spoken at infosec events such as Defcon, Black Hat, RSA, and FIRST, and has published in the likes of Information Security, Linux Magazine, (IN)SECURE, and SysAdmin. As an advocate of a holistic approach to information security, Russ' website is holisticinfosec.org.
He also serves as a volunteer handler for the SANS Internet Storm Center.